IP addresses classified as personal data
Crucial verdict of the Court of Justice of the European Union
Legal Alert (28/2016)
In its judgment of 19 October 2016 (case C-582/14), the European Court of Justice decided that IP addresses may be classified as personal data. The verdict is of crucial importance for the business operations of Internet service providers (ISPs) in the entire European Union.
The Court’s verdict concerned Patrick Breyer, a member of the Pirate Party. Mr. Breyer sued the Bundesrepublik Deutschland and demanded that the German Government be banned from collecting the IP addresses of users viewing governmental websites. The German Supreme Court had doubts as to whether IP addresses can be classified as personal data and thus referred a question for a preliminary ruling to the Court of Justice of the European Union.
Pursuant to Article 2(a) of Directive no. 95/46/EC, personal data “shall mean any information relating to an identified or identifiable natural person”. Article 6.1 of the Polish Act on personal data protection contains the same definition of personal data. Lawyers have reached no agreement on whether the "identifiability" referred to in this definition should be assessed:
- on a subjective basis, i.e. including only identification methods available for a given webmaster; or
- on an objective basis, i.e. including all potential identification methods available (also to third parties).
The German Government supported the subjective approach, pointing out that IP addresses collected (“logged”) by governmental websites were not personal data, since webmasters were not able to determine the names or addresses of their owners on the basis of them. Such data are usually available exclusively to Internet service providers (ISPs), not to webmasters.
The Court has indirectly supported the subjective approach. It stated, though, that German law has probably permitted webmasters to contact relevant bodies that can make ISPs disclose the identity of IP address holders, in particular in the case of a hacker attack. At the same time, Recital 26 of Directive 95/46/EC states that “to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person” (in the Polish version of the Directive, the translation of this fragment is imperfect). Therefore, according to the Court, if there are means likely reasonably to be used by a webmaster in order to identify the holder of a given IP address, IP addresses should be classified as personal data.
For whom is the verdict important?
The Court’s verdict is fully applicable to Polish businesses, since in Poland legal means are available that allow the identity of an IP address user to be determined (they are frequently applied in criminal proceedings concerning online copyright infringement). Although the decision concerned dynamic IP addresses, it applies to static ones as well on an a minori ad maius basis.
The judgment is important not only for ISPs, but also for many businesses maintaining their own websites, since recording the IP addresses of users (e.g. for the purpose of subsequent identification of potential hackers) is a standard practice, and often covers even individuals who do not log in, but just view a website.
Classifying IP addresses as personal data brings them within the scope of the Act on personal data protection. Therefore, webmasters are obliged, among other things, to inform users that they are collecting such data, indicating the purpose of such collection and the known or projected users of the data, and to provide users with access to their own data.
In order to avoid the above obligations, a change in the manner of collecting IP addresses may be required. In particular, website owners may consider irreversible conversion of IP addresses to another string type (the applicability of this approach may therefore be restricted to certain purposes), or the use of other means that prevent user identification.
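One way to implement the irreversible conversion mentioned above, as an added example that is not part of the original alert: a keyed hash (HMAC-SHA256) whose key is destroyed at the end of each retention period, shown beside a plain unkeyed hash, which can be matched again by hashing every candidate address. The function names, the one-day key period, the /24 and /48 truncation lengths and the 192.0.2.0/24 sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional


def new_period_key() -> bytes:
    """Random key for one retention period (assumed: one day).
    Destroying it afterwards leaves no way to recompute a token."""
    return secrets.token_bytes(32)


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed, one-way token for an IP address (HMAC-SHA256, 128 bits kept)."""
    addr = ipaddress.ip_address(ip)  # validates; equal addresses pack equally
    return hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:32]


def unkeyed_hash(ip: str) -> str:
    """Plain SHA-256 of the address: the weak variant, for comparison."""
    return hashlib.sha256(ipaddress.ip_address(ip).packed).hexdigest()


def truncate_ip(ip: str) -> str:
    """Alternative: drop the host bits (keep /24 for IPv4, /48 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def recover_by_enumeration(digest: str, cidr: str) -> Optional[str]:
    """Audit check: does hashing every candidate address match a stored digest?"""
    for candidate in ipaddress.ip_network(cidr):
        if unkeyed_hash(str(candidate)) == digest:
            return str(candidate)
    return None


if __name__ == "__main__":
    key = new_period_key()
    visitor = "192.0.2.77"  # constructed sample from the documentation range
    print("keyed token:", pseudonymize_ip(visitor, key))
    print("truncated  :", truncate_ip(visitor))
    # The unkeyed digest is matched back to the address; the keyed token is not.
    print(recover_by_enumeration(unkeyed_hash(visitor), "192.0.2.0/24"))
    print(recover_by_enumeration(pseudonymize_ip(visitor, key), "192.0.2.0/24"))
```

Within one key period the same visitor maps to the same token, so per-visitor counting and rate limiting still work; correlation across periods is lost once the key is destroyed.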
Polish Ordinance on personal data protection
The judgment of the Court of Justice will remain valid in the context of the new general Ordinance on personal data protection that will come into effect in 2018. Its definition of personal data is very similar to the one discussed here (or even broader in certain respects). Please note, though, that the new Ordinance provides for much tougher sanctions, in particular an administrative fine of up to four percent of the total annual global revenue of a given business or up to EUR 20 M (whichever is higher).